Act 1: Once Upon a Time...

I handle petabytes* of data every day. From encrypting juicy Top Secret intelligence to boring packets bound for your WiFi router, I do it all!

... and still no one seems to care about me or my story.

I've got a better-than-Cinderella story as I made my way to become king of the block cipher world.

Whoa! You're still there. You want to hear it? Well, let's get started...




Once upon a time,* there was no good way for people outside secret agencies to judge good crypto.

EBG13 vf terng!

Double ROT13 is better!

* pre-1975 for the general public
A decree went throughout the land to find a good, secure algorithm.

NBS

One worthy competitor named Lucifer came forward.




After being modified by the National Security Agency (NSA), he was anointed as the Data Encryption Standard.

I anoint thee as

DES ruled in the land for over 20 years. Academics studied him intently. For the first time, there was something specific to look at. The modern field of cryptography was born.

"... to the best of our knowledge, DES is free from any statistical or mathematical weakness." - NSA

Check out that Feistel network!

zzz

Over the years, many attackers challenged DES. He was defeated in several battles.




The only way to stop the attacks was to use DES 3 times in a row to form "Triple-DES." This worked, but it was awfully slow.

Another decree* went out.

* ~ early 1997

We need something at least as strong as Triple-DES, but it has to be fast and flexible.

This call rallied the crypto wizards to develop something better.

My creators, Vincent Rijmen and Joan Daemen, were among these crypto wizards. They combined their last names to give me my birth name: Rijndael.*




* That's pronounced "Rhine Dahl" for the non-Belgians out there.



Everyone got together to vote and...

Vote for me!

Final Round

...and now I'm the new king of the crypto world. You can find me everywhere. Intel is even putting native instructions for me

Any questions?

Weird. I'm out.




Act 2: Crypto Basics

Great question! You only need to

Big Idea #1: Confusion

It's a good idea to obscure the relationship between your real message and your "encrypted" message. An example of this "confusion" is the trusty ol' Caesar Cipher:




Plaintext:  ATTACK AT DAWN
Ciphertext: DWWDFN DW GDZQ

A + 3 letters = D



Big Idea #2: Diffusion

It's also a good idea to spread out the message. An example of this "diffusion"




Big Idea #3: Secrecy Only in the Key

After thousands of years, we learned that it's a bad idea to assume that no one knows how your method works. Someone will eventually find that out.

Tell me how it works!

No problem! It's on Wikipedia, but I don't know the key.

Drats!

BETTER

Does that answer your question?




Act 3: Details

I'd be happy to tell you how I work but you have to sign this first.

Oh... what's that?

Foot-Shooting Prevention Agreement

I, __________ (Your Name), promise that once I see how simple AES really is, I will not implement it in production code, even though it would be really fun.

This agreement shall be in effect until the undersigned creates a meaningful interpretive dance that compares and contrasts cache-based, timing, and other side channel attacks and their countermeasures.

__________ (Signature)

I take your data and load it into this 4x4 square.*




ATTACK AT DAWN!

* This is the "state matrix" that I carry with me at all times.

The initial round has me xor each input byte with the corresponding byte of the first round key.

A Tribute to XOR

There's a simple reason why I use xor to apply the key and in other spots: it's fast and cheap, a quick bit flipper. It uses minimal hardware and can be done in parallel since no pesky "carry" bits are needed.




Key Expansion: Part 1

I need lots of keys for use in later rounds. I derive all of them from the initial key using a simple mixing technique that's really fast. Despite its critics,* it's good enough.

Initial Key

* By far, most complaints against AES's design focus on this simplicity.



Key Expansion: Part 2a

1) I take the last column of the previous round key and move the top byte to the bottom:

2) Next, I run each byte through a substitution box that will map it to something else:

Key Expansion: Part 2b

3) I then xor the column with a "round constant" that is different for each round.

[diagram: the column, xored with the round constant column 01 00 00 00]

4) Finally, I xor it with the first column of the previous round key.

New first column



Key Expansion: Part 3

The other columns are super-easy.* I just xor the previous column with the same column of the previous round key.

Column from previous round key

New round key

* Note that 256 bit keys are slightly more complicated.



Next, I start the intermediate rounds. A round is just a series of steps I repeat several times. The number of repetitions depends on the size of the key:

Key size  | Rounds
128 bits  | 10
192 bits  | 12
256 bits  | 14



Applying Confusion: Substitute Bytes

I use confusion to obscure the relationship of each byte. I put each byte into a substitution box (sbox), which will map it to a different byte:

(Denotes confusion)



Applying Diffusion, Part 1: Shift Rows

Next I shift the rows to the left:

(Denotes "permutation")

Applying Diffusion, Part 2: Mix Columns

Applying Key Secrecy: Add Round Key

At the end of each round, I apply the next round key with an xor:
In the final round, I skip the "Mix Columns" step since it wouldn't increase security.*




* The diffusion it would provide wouldn't go to the next round.

...and that's it. Each round I do makes the bits more confused and diffused. It also has the key impact them. The more rounds, the merrier!



/ 





"Security always comes at a cost to performance" ~ Vincent Rijmen

When I was being developed, a clever guy was able to find a shortcut path through 6 rounds. That's not good! If you look carefully, you'll see that each bit of a round's output depends on every bit from two rounds ago. To increase this diffusion "avalanche," I added 4 extra rounds. This is my "security margin."

So in pictures, we have this:

[diagram: the first 6 rounds marked "Theoretically broken", the 4 extra rounds marked "Security margin"]

One last tidbit: I shouldn't be used as-is, but rather as a building block to a decent "mode."



Electronic Codebook Mode (ECB)

[diagram: each Input block goes through AES under the Key straight to its Output block]

Cipher-block Chaining (CBC)

[diagram: the Initialization Vector (IV) is xored into the first Input block before AES under the Key, and each Output block is xored into the next Input block]

BETTER

Make sense? Did that answer your question?

Almost... except you just waved your hands and used weird analogies. What really happens?

/ 




Another great question! It's not hard, but... it involves

Act 4: Math!

Let's go back to your algebra class...




We'll change things slightly. In the old way, coefficients could get as big as we wanted. In the new way, they can only be 0 or 1:

Old Way:
$123x^2 + 45x^2 + 678x + 9x + 10 = 168x^2 + 687x + 10$
(Big coefficients)

New Way:
$x^2 \oplus x^2 \oplus x^2 \oplus x \oplus x \oplus 1 = x^2 \oplus 1$
(Small coefficients)

The new addition:*
$x^2 \oplus x^2 \oplus x^2 = (x^2 \oplus x^2) \oplus x^2 = 0 \oplus x^2 = x^2$

* Nifty fact: In the new way, addition is the same as subtraction (e.g. $x \oplus x = x - x = 0$)



Remember how multiplication could make things grow fast?

$(x^7 + x^5 + x^3 + x)(x^6 + x^4 + x^2 + 1)$
$= x^{7+6} + x^{7+4} + x^{7+2} + x^{7+0} + x^{5+6} + x^{5+4} + x^{5+2} + x^{5+0} + x^{3+6} + x^{3+4} + x^{3+2} + x^{3+0} + x^{1+6} + x^{1+4} + x^{1+2} + x^{1+0}$
$= x^{13} + x^{11} + x^9 + x^7 + x^{11} + x^9 + x^7 + x^5 + x^9 + x^7 + x^5 + x^3 + x^7 + x^5 + x^3 + x$
$= x^{13} + x^{11} + x^{11} + x^9 + x^9 + x^9 + x^7 + x^7 + x^7 + x^7 + x^5 + x^5 + x^5 + x^3 + x^3 + x$
$= x^{13} + 2x^{11} + 3x^9 + 4x^7 + 3x^5 + 2x^3 + x$

Big and yucky!

With the "new" addition, things are simpler, but the $x^{13}$ is still too big. Let's make it so we can't go bigger than $x^7$. How can we do that?

$x^{13} \oplus 2x^{11} \oplus 3x^9 \oplus 4x^7 \oplus 3x^5 \oplus 2x^3 \oplus x$
$= x^{13} \oplus 0x^{11} \oplus x^9 \oplus 0x^7 \oplus x^5 \oplus 0x^3 \oplus x$
$= x^{13} \oplus x^9 \oplus x^5 \oplus x$



We use our friend, "clock math,"* to do this. Just add things up and do long division. Keep a close watch on the remainder:

4 o'clock + 10 hours = 2 o'clock

* This is also known as modular addition. Math geeks call this a "group." AES uses a special group called a "finite field."




We can do "clock" math with polynomials. Instead of dividing by 12, my creators told me to use $m(x) = x^8 \oplus x^4 \oplus x^3 \oplus x \oplus 1$. Let's say we wanted to multiply $x \cdot b(x)$ where $b(x)$ has coefficients $b_7 \ldots b_0$:*

$x \cdot b(x) = x \cdot (b_7 x^7 \oplus b_6 x^6 \oplus b_5 x^5 \oplus b_4 x^4 \oplus b_3 x^3 \oplus b_2 x^2 \oplus b_1 x \oplus b_0)$
$= b_7 x^8 \oplus b_6 x^7 \oplus b_5 x^6 \oplus b_4 x^5 \oplus b_3 x^4 \oplus b_2 x^3 \oplus b_1 x^2 \oplus b_0 x$

Eeek! $x^8$ is too big. We must make it smaller.

* Remember that each $b_n$ (e.g. $b_7$) is either 0 or 1.

We divide it by $m(x) = x^8 \oplus x^4 \oplus x^3 \oplus x \oplus 1$ and take the remainder:

$b_7 x^8 \oplus b_6 x^7 \oplus b_5 x^6 \oplus b_4 x^5 \oplus b_3 x^4 \oplus b_2 x^3 \oplus b_1 x^2 \oplus b_0 x$
subtract (same as xor) the quotient $b_7$ times $m(x)$: $b_7 x^8 \oplus b_7 x^4 \oplus b_7 x^3 \oplus b_7 x \oplus b_7$

Remainder:
$b_6 x^7 \oplus b_5 x^6 \oplus b_4 x^5 \oplus (b_3 \oplus b_7) x^4 \oplus (b_2 \oplus b_7) x^3 \oplus b_1 x^2 \oplus (b_0 \oplus b_7) x \oplus b_7$
$= (b_6 x^7 \oplus b_5 x^6 \oplus b_4 x^5 \oplus b_3 x^4 \oplus b_2 x^3 \oplus b_1 x^2 \oplus b_0 x) \oplus b_7 (x^4 \oplus x^3 \oplus x \oplus 1)$

Note how the b's are shifted left by 1 spot. This is just $b_7$ multiplied by a small polynomial.




Now we're ready for the hardest blast from the past: logarithms. After logarithms, everything else is cake! Logarithms let us turn multiplication into addition:

$\log(x \cdot y) = \log(x) + \log(y)$

So... $\log(10 \cdot 100) = \log(10) + \log(10^2) = 1 + 2 = 3$

In reverse:
$\log^{-1}(1) = 10^1 = 10$
$\log^{-1}(2) = 10^2 = 100$
$\log^{-1}(3) = 10^3 = 1{,}000$

So $10 \cdot 100 = 1{,}000$



We can use logarithms in our new world. Instead of using 10 as the base, we can use the simple polynomial $x \oplus 1$ and watch the magic unravel.*

$(x \oplus 1) = x \oplus 1$
$(x \oplus 1)(x \oplus 1) = x^2 \oplus x \oplus x \oplus 1 = x^2 \oplus 1$
$(x \oplus 1)(x \oplus 1)(x \oplus 1) = x^3 \oplus x^2 \oplus x \oplus 1$

So...

$\log(x \oplus 1) = 1$, $\log(x^2 \oplus 1) = 2$, $\log(x^3 \oplus x^2 \oplus x \oplus 1) = 3$

* If you keep multiplying by $(x \oplus 1)$ and then take the remainder after dividing by $m(x)$, you'll see that you generate all possible polynomials below $x^8$. This is very important!




Why bother with all of this math?* Encryption deals with bits and bytes, right? Well, there's one last connection: a 7th degree polynomial can be represented in exactly 1 byte since the new way uses only 0 or 1 for coefficients:

$x^4 \oplus x^3 \oplus x \oplus 1$
$= 0x^7 \oplus 0x^6 \oplus 0x^5 \oplus 1x^4 \oplus 1x^3 \oplus 0x^2 \oplus 1x \oplus 1$
= 0 0 0 1 1 0 1 1 in binary
= 1b in hexadecimal

A single byte!!

* Although we'll work with bytes from now on, the math makes sure everything works out.





With bytes, polynomial addition becomes a simple xor. We can use our logarithm skills to make a table for speedy multiplication.*

$(x^4 \oplus x^3 \oplus x \oplus 1) \oplus (x^7 \oplus x^5 \oplus x^3 \oplus x)$
$= \mathtt{1b} \oplus \mathtt{aa}$  (byte xor)
$= \mathtt{b1}$
$= x^7 \oplus x^5 \oplus x^4 \oplus 1$

$(x^4 \oplus x^3 \oplus x \oplus 1) \cdot (x^7 \oplus x^5 \oplus x^3 \oplus x)$
$= \mathtt{1b} \cdot \mathtt{aa}$  (logarithm table lookup)
$\Rightarrow \log(\mathtt{1b}) + \log(\mathtt{aa}) = \mathtt{c8} + \mathtt{1f} = \mathtt{e7}$
$\Rightarrow \log^{-1}(\mathtt{e7}) = \mathtt{8c}$  (inverse table lookup)
$= x^7 \oplus x^3 \oplus x^2$

* We can create the table as we keep multiplying by $(x \oplus 1)$.

Since we know how to multiply, we can find the "inverse" polynomial byte for each byte. This is the byte that will undo/invert the polynomial back to 1. There are only 255* of them, so we can use brute force to find them:

* There are only 255 instead of 256 because 0 has no inverse.



Now we can understand the mysterious s-box. It takes a byte "a" and applies two functions. The first is "g" which just finds the byte inverse. The second is "f" which intentionally makes the math uglier to foil attackers.

a -> g -> $a^{-1}$ -> f

f, as a bit matrix:

1 1 1 1 1 0 0 0
0 1 1 1 1 1 0 0
0 0 1 1 1 1 1 0
0 0 0 1 1 1 1 1
1 0 0 0 1 1 1 1
1 1 0 0 0 1 1 1
1 1 1 0 0 0 1 1
1 1 1 1 0 0 0 1

We can also understand those crazy round constants in the key expansion. I get them by starting with 1 and then keep multiplying by x:

first 10 round constants: 01 02 04 08 10 20 40 80 1b 36



Mix Columns is the hardest. I treat each column as a polynomial. I then use our new multiply method to multiply it by a specially crafted polynomial and then take the remainder after dividing by $x^4 + 1$. This all simplifies to a matrix multiply:

$b(x) = c(x) \cdot a(x) \bmod (x^4 + 1)$

$= (\mathtt{03}x^3 + \mathtt{01}x^2 + \mathtt{01}x + \mathtt{02}) \cdot (a_3 x^3 + a_2 x^2 + a_1 x + a_0) \bmod (x^4 + 1)$
(the special polynomial, times the column)

$= \mathtt{03}a_3 x^6 + \mathtt{03}a_2 x^5 + \mathtt{03}a_1 x^4 + \mathtt{03}a_0 x^3 + \mathtt{01}a_3 x^5 + \mathtt{01}a_2 x^4 + \mathtt{01}a_1 x^3 + \mathtt{01}a_0 x^2 + \mathtt{01}a_3 x^4 + \mathtt{01}a_2 x^3 + \mathtt{01}a_1 x^2 + \mathtt{01}a_0 x + \mathtt{02}a_3 x^3 + \mathtt{02}a_2 x^2 + \mathtt{02}a_1 x + \mathtt{02}a_0$

Dividing by $x^4 + 1$ wraps the high powers around ($x^4 = 1$, $x^5 = x$, $x^6 = x^2$), so the remainder is:

$= (\mathtt{02}a_3 + a_2 + a_1 + \mathtt{03}a_0) x^3 + (\mathtt{03}a_3 + \mathtt{02}a_2 + a_1 + a_0) x^2 + (a_3 + \mathtt{03}a_2 + \mathtt{02}a_1 + a_0) x + (a_3 + a_2 + \mathtt{03}a_1 + \mathtt{02}a_0)$

As a matrix multiply:

[b0]   [02 03 01 01] [a0]
[b1] = [01 02 03 01] [a1]
[b2]   [01 01 02 03] [a2]
[b3]   [03 01 01 02] [a3]
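Everything from Act 3 and Act 4, plus the ECB/CBC tidbit, assembled into a working AES-128 in Python, as an added example that is not part of the guide and not its author's code. Rather than hard-coding the S-box, it derives the S-box, the round constants and Mix Columns from the GF(2^8) arithmetic just described (xtime for "multiply by x", log tables built by repeatedly multiplying by x+1, the inverse via the tables, then the bit-matrix f with its 0x63 constant), and the rounds follow Act 3. Function names (xtime, gf_mul, expand_key, ...) and the sample message are my own choices; the test vectors are the published FIPS-197 ones.

```python
# Added example, not code from the guide or its author: AES-128 assembled
# from the pieces the comic describes.  Field arithmetic is done the way
# Act 4 explains it (polynomials mod m(x) = x^8+x^4+x^3+x+1, log tables
# from repeated multiplication by x+1); the S-box, round constants and
# Mix Columns are derived from it; the rounds follow Act 3.

def xtime(a):
    """Multiply a byte by x (shift left) and reduce mod m(x) = 0x11b."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

# Log tables: start at 1 and keep multiplying by (x + 1) = 0x03; after 255
# steps every non-zero byte has appeared exactly once.
EXP, LOG, _v = [0] * 255, [0] * 256, 1
for _i in range(255):
    EXP[_i], LOG[_v] = _v, _i
    _v ^= xtime(_v)             # v * (x + 1) = v*x xor v

def gf_mul(a, b):
    """Multiply via the tables: log, add, inverse log."""
    return 0 if a == 0 or b == 0 else EXP[(LOG[a] + LOG[b]) % 255]

def gf_inv(a):
    """'g' of the S-box: the byte that multiplies a back to 1 (0 has none)."""
    return 0 if a == 0 else EXP[(255 - LOG[a]) % 255]

def affine(b):
    """'f' of the S-box: the 8x8 bit matrix on the page, then xor 0x63."""
    r = b
    for k in range(1, 5):
        r ^= ((b << k) | (b >> (8 - k))) & 0xFF   # rotate left by k
    return r ^ 0x63

SBOX = [affine(gf_inv(i)) for i in range(256)]

RCON, _r = [], 1                # round constants: 1, then keep multiplying by x
for _i in range(10):
    RCON.append(_r)
    _r = xtime(_r)

# State and round keys are flat 16-byte lists in column order
# (index = 4*column + row), the order the input is loaded into the square.
def expand_key(key):
    w = [list(key[4*i:4*i + 4]) for i in range(4)]   # initial key, 4 columns
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                  # first column of a new round key
            t = t[1:] + t[:1]           # 1) top byte to the bottom
            t = [SBOX[b] for b in t]    # 2) S-box each byte
            t[0] ^= RCON[i // 4 - 1]    # 3) xor the round constant
        w.append([a ^ b for a, b in zip(w[i - 4], t)])  # 4) xor previous round key's column
    return [sum(w[4*r:4*r + 4], []) for r in range(11)]

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    """Row r rotates left by r positions."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):
    """Each column times c(x) = 03x^3 + 01x^2 + 01x + 02, mod x^4 + 1."""
    c_poly = [0x02, 0x01, 0x01, 0x03]        # c0, c1, c2, c3
    out = []
    for c in range(4):
        col = s[4*c:4*c + 4]
        for i in range(4):                    # b_i = sum_j c_((i-j) mod 4) * a_j
            acc = 0
            for j in range(4):
                acc ^= gf_mul(c_poly[(i - j) % 4], col[j])
            out.append(acc)
    return out

def add_round_key(s, rk):
    return [a ^ b for a, b in zip(s, rk)]

def encrypt_block(key, block):
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])     # initial round: just the key
    for rnd in range(1, 11):
        s = sub_bytes(s)
        s = shift_rows(s)
        if rnd != 10:                         # final round skips Mix Columns
            s = mix_columns(s)
        s = add_round_key(s, rk[rnd])
    return bytes(s)

# The "don't use me as-is" tidbit: ECB and CBC over a multi-block message.
def ecb_encrypt(key, data):
    return b"".join(encrypt_block(key, data[i:i + 16]) for i in range(0, len(data), 16))

def cbc_encrypt(key, iv, data):
    out, prev = b"", iv                       # iv must be fresh and unpredictable per message
    for i in range(0, len(data), 16):
        prev = encrypt_block(key, bytes(a ^ b for a, b in zip(data[i:i + 16], prev)))
        out += prev
    return out
```

`encrypt_block(bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff")).hex()` returns the FIPS-197 Appendix C.1 ciphertext `69c4e0d86a7b0430d8cdb78070b4c55a`, and the intermediate pieces match the guide: `gf_mul(0x1b, 0xaa)` is `0x8c`, `gf_inv(0x53)` is `0xca`, `SBOX[0x53]` is `0xed`. Feeding `ecb_encrypt` the constructed message `b"ATTACK AT DAWN!!" * 2` gives two identical ciphertext blocks, which is the pattern leak behind the "building block to a decent mode" tidbit; `cbc_encrypt` with a distinct IV does not. Note that the S-box and log-table lookups are indexed by secret-dependent values, which is exactly the cache-timing exposure the Foot-Shooting Prevention Agreement refers to.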



Whoa... I think I get it now. It's relatively simple once you grok the pieces. Thanks for explaining it.

But there's so much more to talk about: my resistance to linear and differential cryptanalysis, my Wide Trail Strategy, impractical related-key attacks, and... so much more... but no one is left.

Oh well, there's some boring router traffic that needs to